Vishing: Over-the-Phone Scamming

June 8, 2023 at 5:00 PM

It's always scam season, so it helps to stay vigilant all year round. Cyberattackers scarcely rest. They are constantly developing novel approaches for stealing confidential information and vast sums of money from businesses worldwide, disrupting operations and causing considerable damage.

The rise of artificial intelligence has made their strategies even more complex. Scammers can now clone voices and defraud companies with even the most robust security systems. One of the best ways to reduce cybersecurity breaches is to stay current with the new techniques to help you prepare adequately to respond to an imminent attack.

What Is Vishing?

Vishing, often called "voice phishing", is a cybersecurity attack that uses phone calls or other spoken interaction to steal personal and confidential information from victims. It relies on social engineering to gain your trust so that the attacker can extract funds or information, or cause other harm.

A classic example is a malicious actor who calls your business posing as a member of your IT team. They convince you that an attack is under way and direct you to follow specific instructions or hand over relevant information, such as passwords or bank account details. With that information, the attacker can enter your systems and cause severe damage to your operations.

Typically, an attacker will do their research before contacting your organization. For example, they may begin by sending phishing emails in an attempt to gather certain information, allowing them to get the details they need for the larger scam.

The attacker may also call your organization after, or instead of, sending the phishing email and appeal to fear, trust, or the desire to take a specific action under the guise of offering assistance. They may ask you to transfer money or information to them, or to hand over your credentials, which lets them get what they need without any further help from you.

Common Vishing Techniques

Four commonly utilized vishing techniques include:

  1. VoIP Vishing: Voice over Internet Protocol (VoIP) is a technology that allows you to make calls through an internet connection instead of regular phone lines. This allows the scammer to block or fake their location information, which means they can call from an international location or area code you are not familiar with.
  2. Caller ID Spoofing: Attackers can falsify information sent to your incoming call display to conceal their true identity. The caller ID may appear local or match that of a trusted corporation or government institution, and in some instances the caller ID might even match your own phone number.
  3. Wardialing: The scammers use software to dial multiple phone numbers in quick succession to identify numbers attached to modems, computers, and office appliances. This allows attackers to detect security vulnerabilities.
  4. Dumpster Diving: Attackers dig through physical dumpsters belonging to office buildings, financial institutions, and other organizations to gather non-public contact information of targeted individuals to aid them in their upcoming vishing campaigns.

Vishing Attack Examples

Several examples of typical vishing attacks include the following:

  1. IRS tax scams
  2. Bank impersonation scams
  3. Loan and investment scams
  4. Medicare or social security scams
  5. Tech support attacks
  6. Telemarketing vishing attacks

How to Identify Popular Vishing Scams

Here are three tips on how to identify vishing attacks:

  1. The Caller Claims to Represent an Institution

    Scammers usually call and pretend to represent an organization like Medicare, the IRS, the Social Security Administration, or an institution in business with your organization. The caller may make an offer or request information to fix a problem. Unless you initiated the contact, it is best to confirm before acting. A good approach is to hang up and call the institution back on the phone number listed on its official website.

  2. The Caller Creates a Sense of Urgency


    A common strategy that attackers use is creating a frantic sense of urgency. That is a huge red flag. Creating urgency allows them to manipulate the target without giving them sufficient time to think or verify whether the request is valid. It is essential to remain calm when you get a phone call, hang up, and report immediately if you suspect something dishonest.

  3. The Caller Requests Information

    Usually, attackers call when they need information. They may ask you to confirm your name, date of birth, address, bank account details, social security number, and other personal information. Sometimes, they leverage the knowledge they have on hand to trick you into believing they are legitimate.

    For example, they may know relatively public information about you, such as your address or phone number. They could tell you this information to try and create trust before asking for increasingly confidential information. They may also pretend that they already have the information you give them by saying, "yes, that's right". It is always important to double-check before you give out anything.

AI and Phone Scammers

Artificial intelligence is evolving rapidly and becoming more complex. Despite its numerous benefits, AI software has been leveraged by scammers to deceive individuals and organizations. Advanced technology allows attackers to clone a voice from an audio sample, type any message, and play the result over a phone call. They then call the target and speak with the cloned voice, as if the real person were on the line.

AI voice-generating software examines a person's unique verbal traits, such as their accent, tone, gender, and age. It searches a huge voice database to locate similar ones and predict patterns. The software can re-create the timbre, pitch, and sound of the person's voice and generate an overall similar effect. All it needs is a short voice sample.

For individuals, the attacker may impersonate someone trustworthy, like a family member or close friend, and convince them to send money or give away information. One harrowing example involves a kidnapping hoax. A mother in Arizona received a phone call from an unknown number. When she answered the call, she heard her daughter's voice on the line saying that she had been kidnapped. Then, she heard a man's voice demanding ransom money. Before agreeing to anything, the mother called her daughter and confirmed she was safe. The scheme had used AI to mimic her daughter's voice.

This technique can be used to defraud businesses as well. For example, attackers may easily replicate a superior's voice and ask a subordinate or colleague to perform a specific act. Without confirmation, the person may place your company's security keys in the hands of a cybercriminal.

How to Prevent Vishing

The following tips can help you avoid vishing attacks:

  1. Do Not Answer Unknown Numbers

    As a rule of thumb, avoid responding to calls from unfamiliar phone numbers. When in doubt, let the call go to voicemail and listen to the message carefully. You want to avoid situations where robots or conniving individuals persuade you to share information.

  2. Do Not Give Sensitive Information Over the Phone

    Whenever you receive a call from a person claiming to represent a government institution or another company, and that person asks for sensitive information such as login credentials and account details, do not provide the information, no matter how official they sound. Confirm with IT support or the relevant department in your company before you share anything. Also, it will help to ask for proof of identity.

  3. Block and Report Numbers That Seem Like Spam

    Scammers can be persistent, so it helps to block and report spam numbers immediately. You may unblock the contact after confirming the person's identity. It is always better to prevent harm than to attempt a remedy.

  4. Install Software on Your Phone That Recognizes and Blocks Spam or Scam Calls

    Besides manually sending spam numbers to the blocked list, you can use robocall blocking tools such as call filters to detect and block automated calls. These tools can help prevent wardialing and VoIP vishing.

  5. Ensure Regular Vishing Training

    Educate employees to enhance their security awareness, especially regarding the new techniques that scammers use. You can also implement a zero-trust policy and make it a central part of the organization's culture. Create policies and manuals and make them easily accessible to your team.


Reinforce Your Cybersecurity with Compass IT Compliance

Compass IT Compliance is an industry leader with decades of experience in delivering cybersecurity solutions to businesses in the United States. We provide a wide range of services, including penetration testing, vulnerability scanning and assessment, PCI compliance, IT risk assessment, and vishing or phishing assessments to help protect your sensitive data. Contact us today to learn how we can help you enhance your IT security program!
